Stopping FTP Brute Force Attacks in FreeBSD and OpenBSD


This is a great little article that I came across on stopping FTP brute force attacks in OpenBSD or FreeBSD (both of my favorite OSes). It assumes that you're using PF as your firewall (which you should!).

You can easily stop brute force attacks by limiting the rate of new connections per source IP with the pf
firewall under FreeBSD or OpenBSD.

Open /etc/pf.conf

# vi /etc/pf.conf

Update it as follows:

# the list of known FTPD attackers, loaded from and persisted to a file
table <ftp-attacks> persist file "/etc/pf.ftp.block.list"

# block all incoming connections from attackers on FTPD
block in quick on $ext_if from <ftp-attacks>

# Let us allow FTP with brute force protection
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 21 keep state (max-src-conn-rate 5/40, overload <ftp-attacks> flush global)

The pass rule above adds any source address that opens more than 5 new FTP connections within 40 seconds to the <ftp-attacks> table and flushes that host's existing states; the block rule then drops all further connections from it. Also append the following line to /etc/rc.shutdown so the table contents survive a reboot:

# echo '/sbin/pfctl -t ftp-attacks -T show > /etc/pf.ftp.block.list' >> /etc/rc.shutdown

Finally, reload pf firewall:

# /etc/rc.d/pf reload

To list currently blocked IP (attackers IP), enter:

# pfctl -t ftp-attacks -T show
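To make the behaviour of the max-src-conn-rate / overload pair concrete, here is an added simulation (not code from the original article, and not PF's own implementation): it models the 5/40 rule as a sliding 40-second window per source address, an in-memory stand-in for the <ftp-attacks> table, and the flush of that source's states. The connection log it replays is constructed for the example.

```python
from collections import defaultdict, deque

# Parameters from the pf rule: max-src-conn-rate 5/40
RATE_LIMIT = 5        # more than this many new connections ...
RATE_WINDOW = 40.0    # ... within this many seconds triggers the overload

# Constructed connection log: (timestamp in seconds, source address).
# 203.0.113.9 hammers port 21; 198.51.100.4 is a normal client.
SAMPLE_LOG = [
    (0.0, "203.0.113.9"), (1.5, "203.0.113.9"), (3.0, "203.0.113.9"),
    (4.2, "203.0.113.9"), (5.0, "198.51.100.4"), (6.1, "203.0.113.9"),
    (7.0, "203.0.113.9"),   # 6th connection inside 40 s -> overload
    (9.0, "203.0.113.9"),   # now matches the block rule
    (60.0, "198.51.100.4"), (130.0, "198.51.100.4"),
]


class FtpRateLimiter:
    """Simplified model of PF's max-src-conn-rate with an overload table.

    This is an illustrative sliding-window model, not PF's internal
    counter; it is enough to show which sources end up in the table.
    """

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.overload = set()              # stand-in for the <ftp-attacks> table
        self.states = defaultdict(int)     # live states per source address

    def connect(self, src, ts):
        """Classify a new connection attempt from src at time ts.

        Returns 'blocked' (already in the table), 'overloaded' (this attempt
        pushed src over the limit) or 'passed'.
        """
        if src in self.overload:
            return "blocked"               # block in quick ... from <ftp-attacks>
        window = self.recent[src]
        while window and ts - window[0] >= self.window:
            window.popleft()               # drop attempts older than 40 s
        window.append(ts)
        if len(window) > self.limit:
            self.overload.add(src)         # overload <ftp-attacks>
            self.states[src] = 0           # flush global: kill src's states
            return "overloaded"
        self.states[src] += 1
        return "passed"


def replay(log, limiter=None):
    """Replay (ts, src) events; return a list of (src, verdict) in order."""
    limiter = limiter or FtpRateLimiter()
    return [(src, limiter.connect(src, ts)) for ts, src in sorted(log)]


def blocked_sources(log):
    """Return the set of addresses that would appear in 'pfctl -t ftp-attacks -T show'."""
    limiter = FtpRateLimiter()
    replay(log, limiter)
    return limiter.overload


if __name__ == "__main__":
    for src, verdict in replay(SAMPLE_LOG):
        print(f"{src:15} {verdict}")
    print("table <ftp-attacks>:", sorted(blocked_sources(SAMPLE_LOG)))
```

The replay shows the attacker's first five attempts passing, the sixth being added to the table with its states flushed, and every later attempt hitting the block rule, while the slow legitimate client is never affected; this is the outcome the rule on the page is meant to produce.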
